The latest attempt by the US government to ensure some kind of security standards for its critical infrastructure has failed, with Senate Republicans having blocked legislation over concerns at over-regulation of business and the weighing-down of the bill with useless ammendments.
"Despite the President’s repeated calls for Congress to act on this legislation, and despite pleas from numerous senior national security officials from this Administration and the Bush Administration, the politics of obstructionism, driven by special interest groups seeking to avoid accountability, prevented Congress from passing legislation to better protect our nation from potentially catastrophic cyber-attacks," said the White House in a statement.
The US Cybersecurity Act 2012 originally called for mandatory security standards to be enforced for companies forming the US national critical infrastructure – a rather nebulous term used to cover power, communications, water and the other stuff that makes life relatively safe and bearable. The government only has oversight of around 20 per cent of this, with private companies running the rest.
After the Republicans enforced a filibuster, the bill failed to meet the 60 votes required at a 52-48 split, with five Republicans and five Democrats crossing the floor. The US Chamber of Commerce, a lobbying group which was in the vanguard of opposition to the bill, applauded the vote.
"While we thank the co-sponsors for their efforts on the issue of cybersecurity, the legislation voted down today would have given the federal government too much control over what actions the business community could take to protect its computers and networks," Ann Beauchesne, its VP of National Security told El Reg in an emailed statement
Owing to the peculiar nature of the US legislative system, various irrelevant amendments were tacked onto the plan, including two to limit abortion, a motion to limit the sale of high capacity gun magazines, and an amendment by Senate Minority Leader Mitch McConnell (R-Kentucky) to repeal the Affordable Care Act.
The bill was watered down to down to make security standards voluntary but that wasn't enough to appease critics. The legislation also worried civil liberties groups with its lack of privacy protections, although these were in part addressed.
"Regardless of today's vote, the issue of cybersecurity is far from dead,” said Michelle Richardson, ACLU legislative counsel, in a statement. "When Congress inevitably picks up this issue again, the privacy amendments in this bill should remain the vanguard for any future bills. We'll continue to work with Congress to make sure that the government’s cybersecurity efforts include privacy protections. Cybersecurity and our online privacy should not be a zero sum game."
The failure of the bill will leave many in the security industry seriously concerned. At last month's Black Hat and DEFCON meetings, current and former government representatives warned that the situation for the US in cybersecurity terms was dire. General Keith Alexander, director of the NSA and head of US Cyber Command, called for the hacking community to help keep America safe.
Based on what attendees were telling El Reg, the security community is perfectly happy to share information with the government, so long as it's a two-way street. The most common complaint is that government wanted all their hacks, but offered nothing in return when it came to locking down anyone else's systems.
The Cybersecurity Act would have formalized some kind of information sharing, and the House of Representatives' passing CISPA also seeks to set up a framework for collating data. But the security industry traditionally hasn't needed legislation in the past to share information on a common threat.
Ever since the early days of the antivirus industry, the top researchers have shared information with commercial rivals on new threats. The first person to bag malware gets naming rights, but data is shared because security was more important that making a buck. This El Reg hack wonders if a similar system might work better than a government mandated one for cybersecurity. ®